updated security vulnerability for notSalesforceSetup
Alfredo committed Dec 18, 2024
1 parent 496c4ec commit b05296d
Showing 3 changed files with 52 additions and 26 deletions.
24 changes: 15 additions & 9 deletions action/basic.css
Expand Up @@ -51,7 +51,7 @@ a {
}
}

a.button,
.button,
button {
position: relative;
display: inline-flex;
Expand All @@ -60,13 +60,10 @@ button {
padding-bottom: 0;
padding-left: 1rem;
padding-right: 1rem;
background-clip: border-box;
border-style: solid;
border-width: 1px;
border: none;
border-radius: 0.25rem;
line-height: 1.875rem;
text-decoration: none;
white-space: none;
user-select: none;
cursor: pointer;
text-transform: none;
Expand All @@ -77,6 +74,19 @@ button {
margin-left: 0.25rem;
width: 4rem;
min-height: 2.3rem;
background-color: #e9e9ed;

&:hover {
background-color: #cccccc;
}
}

.highlight {
background-color: lightblue;

&:hover {
background-color: skyblue;
}
}

.slds-assistive-text {
Expand All @@ -92,10 +102,6 @@ button {
white-space: nowrap !important;
}

.highlight {
background-color: lightblue;
}

.hidden {
display: none !important;
}
2 changes: 1 addition & 1 deletion action/notSalesforceSetup.css
Expand Up @@ -12,7 +12,7 @@ body > div {
font-weight: normal;
}

& > a {
& > .button {
width: 10rem;
}
}
52 changes: 36 additions & 16 deletions action/notSalesforceSetup.js
@@ -1,26 +1,46 @@
// deno-lint-ignore-file no-window
const authorizedDomainRegex = /https:\/\/.*\.lightning\.force\.com/;
const page = new URLSearchParams(window.location.search).get("url");
const textEl = document.querySelector("h3");
const sfsetupTextEl = document.querySelector("h3");

const div = document.createElement("div");
const prefix = document.createTextNode("This is not a ")
const strongEl = document.createElement("strong")
const otherText = document.createTextNode();
const otherText = document.createTextNode("");

sfsetupTextEl.innerText = "";
sfsetupTextEl.appendChild(div);
let insertPrefix = true;
let strongFirst = true;

if (page != null) { // we're in a salesforce page
// switch which button is shown
document.getElementById("login").classList.add("hidden");
const goSetup = document.getElementById("go-setup");
goSetup.classList.remove("hidden");
// update the button href to use the domain
const domain = page.substring(0, page.indexOf("/lightning"));
goSetup.href = `${domain}/lightning/setup/SetupOneHome/home`;
// update the bold on the text
otherText = "Salesforce Lightning";
strongEl = "Setup Page"
// Validate the domain (make sure it's a Salesforce domain)
if (!authorizedDomainRegex.test(page)) {
strongEl.textContent = "Invalid Salesforce";
otherText.textContent = "domain detected.";
insertPrefix = false;
} else {
// switch which button is shown
document.getElementById("login").classList.add("hidden");
const goSetup = document.getElementById("go-setup");
goSetup.classList.remove("hidden");
// update the button href to use the domain
const domain = page.substring(0, page.indexOf("/lightning"));
goSetup.href = `${domain}/lightning/setup/SetupOneHome/home`;

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
.

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to
user-provided value
.
// update the bold on the text
otherText.textContent = "Salesforce Lightning";
strongEl.textContent = " Setup Page"
strongFirst = false;
}
} else {
strongEl.textContent = "Salesforce Lightning";
otherText.textContent = " Setup Page";
}
insertPrefix && div.appendChild(prefix);
if(strongFirst){
div.appendChild(strongEl);
div.appendChild(otherText)
} else {
strongEl = "Salesforce Lightning";
otherText = "Setup Page";
div.appendChild(otherText)
div.appendChild(strongEl);
}
textEl.innerText = "";
textEl.insertAdjacentHTML("beforeend", text);
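Review bot: The new check `if (!authorizedDomainRegex.test(page))` is unanchored, so `authorizedDomainRegex` accepts any string that merely contains `.lightning.force.com` somewhere, regardless of the scheme at the front or what follows the match; the user-supplied `page` prefix then flows unchanged into `goSetup.href` via `domain`, which is presumably why the CodeQL redirect and XSS alerts shown beneath that line are still raised against the new code. `page.substring(0, page.indexOf("/lightning"))` is also fragile: when `/lightning` is absent `indexOf` returns -1 and `domain` becomes `""`, silently producing a relative link. Parsing `page` with `new URL()`, requiring `protocol === "https:"` and an exact hostname suffix, and building the link from `parsed.origin` (never from a raw substring of the input) addresses both; a sketch of the validation branch follows. `strongEl.textContent = " Setup Page"` is also missing its semicolon.
```javascript
// Validate the domain (make sure it's an https Salesforce Lightning origin)
let setupOrigin = null;
try {
  const parsed = new URL(page);
  if (parsed.protocol === "https:" && parsed.hostname.endsWith(".lightning.force.com")) {
    setupOrigin = parsed.origin;
  }
} catch {
  // unparseable input falls through to the invalid-domain message below
}
if (setupOrigin === null) {
  strongEl.textContent = "Invalid Salesforce";
  otherText.textContent = "domain detected.";
  insertPrefix = false;
} else {
  // … unchanged: button switching …
  goSetup.href = `${setupOrigin}/lightning/setup/SetupOneHome/home`;
  // … unchanged: text updates …
}
```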
